
CVE-2025-41750: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Phoenix Contact FL SWITCH 2005

Severity: High
Tags: Vulnerability, CVE-2025-41750, cve, cve-2025-41750, cwe-79
Published: Tue Dec 09 2025 (12/09/2025, 08:07:58 UTC)
Source: CVE Database V5
Vendor/Project: Phoenix Contact
Product: FL SWITCH 2005

Description

An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking a link provided by the attacker in order to change parameters available via web-based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user.

AI-Powered Analysis

Last updated: 12/16/2025, 10:30:38 UTC

Technical Analysis

CVE-2025-41750 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Phoenix Contact FL SWITCH 2005 device’s web-based management interface, specifically the pxc_PortCfg.php component. The flaw arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts into the web interface. An unauthenticated remote attacker can exploit this by crafting a malicious URL that, when visited by an authenticated user, executes the injected script within the user's browser context. This script can manipulate configuration parameters exposed by the web management interface, potentially altering device settings without direct system-level access. The session cookie is protected by the httpOnly flag, which prevents attackers from stealing session tokens via script access, limiting the attacker's ability to hijack sessions. The vulnerability requires user interaction (clicking the malicious link) but no prior authentication, increasing the attack surface. The CVSS v3.1 base score is 7.1, reflecting high severity due to network attack vector, low attack complexity, no privileges required, but user interaction needed, and impacts on confidentiality, integrity, and availability within the scope of the web application. Although no public exploits are known, the vulnerability poses a significant risk to device configuration integrity and network reliability.

Potential Impact

For European organizations, especially those in industrial, manufacturing, energy, and critical infrastructure sectors that deploy Phoenix Contact FL SWITCH 2005 devices, this vulnerability presents a risk of unauthorized configuration changes. Such changes could disrupt network segmentation, degrade operational technology (OT) network performance, or open pathways for further attacks. The inability to access system-level resources limits the scope of direct system compromise, but manipulation of device parameters can indirectly impact availability and integrity of network operations. Confidentiality impact is limited to the web application context, but integrity and availability impacts are more pronounced due to potential misconfiguration. Given the reliance on these switches in industrial control systems (ICS) and critical infrastructure, exploitation could lead to operational disruptions or safety risks. The requirement for user interaction means phishing or social engineering campaigns targeting network administrators or operators are likely attack vectors. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation.

Mitigation Recommendations

1. Apply vendor patches or firmware updates as soon as they become available to address the XSS vulnerability directly.
2. If patches are not yet available, implement web application firewalls (WAFs) or intrusion prevention systems (IPS) with rules to detect and block malicious payloads targeting the pxc_PortCfg.php endpoint.
3. Restrict access to the web management interface to trusted networks and IP addresses using network segmentation and access control lists (ACLs).
4. Enforce multi-factor authentication (MFA) for accessing the web management interface to reduce the risk of unauthorized access even if a user is tricked into clicking a malicious link.
5. Conduct user awareness training focused on phishing and social engineering risks, emphasizing caution with unsolicited links related to network device management.
6. Monitor logs and network traffic for unusual configuration changes or access patterns to detect potential exploitation attempts.
7. Disable or limit web management interface access where possible, using alternative secure management methods such as out-of-band management or VPNs.
8. Regularly review and audit device configurations to detect unauthorized changes promptly.
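
One way to implement the log monitoring in recommendations 2 and 6, shown as an added example that is not part of the advisory or any vendor tooling: it scans proxy access logs for requests to pxc_PortCfg.php whose query string, after URL decoding, carries markup characters. It assumes the WBM is reached through a reverse proxy or sensor that writes combined-format logs; the parameter name `port`, the host names and the addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines (combined log format). The parameter name "port",
# host names and addresses are placeholders, not values from the advisory.
SAMPLE_LOG = """\
10.0.5.20 - - [09/Dec/2025:09:01:11 +0000] "GET /pxc_PortCfg.php?port=3 HTTP/1.1" 200 5120 "https://switch.example.internal/index.php" "Mozilla/5.0"
10.0.5.20 - - [09/Dec/2025:09:04:37 +0000] "GET /pxc_PortCfg.php?port=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300 "https://mail.example.com/inbox" "Mozilla/5.0"
10.0.5.21 - - [09/Dec/2025:09:06:02 +0000] "GET /pxc_PortCfg.php?port=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"
10.0.5.22 - - [09/Dec/2025:09:07:45 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

DEVICE_HOST = "switch.example.internal"  # assumed WBM host name (placeholder)
ENDPOINT = "/pxc_portcfg.php"            # compared case-insensitively
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')
# Characters a port-configuration value has no reason to carry.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.I)

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text, device_host=DEVICE_HOST):
    """Return requests to the endpoint whose decoded query contains markup."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.lower() != ENDPOINT:
            continue
        query = fully_decode(url.query)
        if MARKUP_RE.search(query):
            ref_host = urlsplit(m["referer"]).hostname
            findings.append({"src": m["src"], "query": query,
                             # True when the link did not come from the WBM itself
                             "off_device_referer": ref_host != device_host})
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```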


Technical Details

Data Version: 5.2
Assigner Short Name: CERTVDE
Date Reserved: 2025-04-16T11:18:45.759Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6937da92964788758a8a404b

Added to database: 12/9/2025, 8:15:14 AM

Last enriched: 12/16/2025, 10:30:38 AM

Last updated: 2/8/2026, 12:26:08 PM
